人们在 LDAP 目录中通过 inetOrgPerson 使用 CN 做什么
我一直在 CN 字段中使用 givenName+" "+surname,昨晚我醒来时尖叫着“约翰·史密斯呢?”我可以想象任何大型组织都会雇用多个同名的人员。所以这当然是行不通的。人们用什么来代替?
编辑 注意:在 inetOrgPerson 中,CN 是 DN 的一部分。
编辑注意:在这种情况下,我预计用户条目会增长到数十万。
I've been using givenName+" "+surname for the CN field and I woke up screaming last night 'what about John Smith'? I can imagine any large organization employing multiple people with the same name. So of course this isn't going to work. What do people use instead?
EDIT Note: in inetOrgPerson the CN is part of the DN.
EDIT Note: in this situation I am expecting to grow to hundreds of thousands of user entries.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
在 LDAP 目录中,无论是 OpenLDAP 还是 Active-Directory,一条规则是 DistinguishName (DN) 必须是唯一的,独立于用于构成相对 Distinguish Name (RDN) 的属性(或多个属性)。
人们如何确保它是唯一的:
我想说,在小型企业中,在目录中创建条目的人首先通过知识,其次通过初步搜索来保证它的唯一性。如果出现重复,他会找到一些解决方案,例如“John E Smith”。使用此解决方案,如果姓名发生变化(结婚、离婚等),LDAP 记录必须从一个 DN“移动”到另一个 DN。最好尽可能避免更改条目的 DN,但在小目录中这并不重要。
在中型企业中,唯一性大多数时候是由来自人力资源部门的员工 ID 赋予的。例如 FR12345678。我看到,在大公司里,人们用员工 ID 登录。对于我在这里描述的事情,使用
uid属性来命名对象更标准,尽管cn(但有些目录不允许您选择命名)属性,我认为这是一个X500 功能)。
在大多数目录(不在 AD 中)中,您可以使用多个属性来组成 RDN。例如,
sn=Assin+TelephoneNumber=1234是 openLDAP 中的有效 RDN,并且在 PBX 中也有意义。还有一件事
在某些目录(为系统管理而设计)中,服务器端测试某些属性在整个树中是唯一的。 Active-Directory 中的
sAMAccountName或userPrincipalName就是这种情况,它们用于日志记录目的。使用带有“given-Name Name”的 CN 属性迫使管理员保证唯一性。您可以在slapd.conf的数据库定义中使用 OpenLDAP 中的唯一属性,添加:如果未编译唯一覆盖,则需要使用以下命令重新编译:
In a LDAP Directory, whatever if it's OpenLDAP or Active-Directory, a rule is that a DistinguishName (DN) must be unique, independently of the attribute (or the attributes) used to constitute the Relative Distinguish Name (RDN).
How do people make sure that it's unique :
I would say that in a small business the guy who creates the entry in the directory guarantee that it's unique, first by knowledge, second by preliminary search. If a duplicate appears he finds some solutions like 'John E Smith'. Using this solution if the name changes (marriage, divorce etc.), the LDAP record has to "move" from one DN to another. It's better to avoid changing the DN of an entry whenever possible, but in a small directory it's not important.
In a medium business the uniqueness is most of the time given by the employee ID coming from human resources. For example FR12345678. I saw, in big companies, people logging in with their employee ID. For the thing I describe here, it's more standart to use the
uidattribute to name an object in spite ofcn(but some directories don't let you choise of the naming attribute, I think it's aX500 feature).
In most directories (not in AD) you can use more than one attribute to compose the RDN. For example
sn=Assin+TelephoneNumber=1234is a valid RDN in an openLDAP and it can make sense in a PBX.One more thing
In some directories (designed for system administration) some attributes are tested by the server side as unique all over the tree. That's the case of
sAMAccountNameoruserPrincipalNamein Active-Directory and they are used for loging purpose. Using the CN attribute with "given-Name Name" oblige the administrators to guarantee uniqueness. You can use unique attribute in OpenLDAP for that in the database definition inslapd.conf, add :If unique overlay is not compiled in, you'll need to recompile with :
将我的一些经验添加到 JPBlanc 的答案中。我工作的地方有几台 LDAP 服务器/树。我们的 AD 服务器使用 DisplayName 作为 CN 的值。在 4K+ 用户中,我们只遇到过少数发生重复的情况。我相信如果存在欺骗,默认操作是在该值上添加 1。即使在该用户群的最大部分中具有很高的周转率,这种情况也令人惊讶地罕见。我们有两个不同的电子目录树,它们相互链接并且使用用户名。用户名是名字首字母+姓氏。任何重复项都附有一个递增的数字。正如你可以想象的那样,布朗一家、史密斯一家以及其他常见名字经常发生这种情况。另一棵树是 ADLDS(以前称为 ADAM)目录,它为每个新条目使用唯一生成的编号作为 CN。它基本上是一个由外部加载过程控制的自动递增数字。最后,我们有一个外部合作伙伴(例如独立代理)的目录,它使用电子邮件地址 + ID 号的组合作为 CN。
我对用户群做了很多维护工作,而我最不喜欢的方案是外部生成的数字。如果我在所有其他系统中接到有关乔·布朗的支持电话,我至少可以知道我需要在哪里浏览才能找到他。当然,一个简单的搜索过滤器会给我所有的布朗,但我仍然需要编写并执行它。所以我的建议是使用 CN 名称的某些部分并以某种方式确保唯一性。从管理的角度来看,这会容易一些。实际上,CN 很重要,但您将更多地处理其余的用户属性,因此不要太担心。
Adding to JPBlanc's answer with some of my experience. We have several ldap servers/trees where I work. Our AD server is using the DisplayName as the value of the CN. Out of 4K+ users we have only had a few instances where duplicates have occurred. I believe the default action there is to tack a 1 on the value if there is a dupe. It is surprisingly rare even with a high turn over rate in the largest section of that user base. We have two different e-directory trees that are linked to each other and those use the username. Username is first initial + last name. Any duplicates there have an incrementing number attached to them. As you can imagine that happens a lot with the Browns and the Smiths and other common names. Another tree that is an ADLDS (formerly ADAM) directory uses a uniquely generated number for each new entry as the CN. It is basically an auto-incremented number that is controlled by an external loading process. Lastly we have a directory for external partners (think independent agents) that uses a combination of email address + an id number as the CN.
I do a lot of maintenance work on the user bases and my least favorite scheme is the externally generated number. If I get a support call about Joe Brown in all of the other systems I can at least have an idea of where I need to browse to find him. Sure a simple search filter will give me all of the Browns but I still have to write it and execute it. So my advice is to use some part of the name for the CN and ensure uniqueness somehow. From an administration point of view it will be a bit easier. Really the CN is important but you'll be dealing with the rest of the user attributes far more so don't sweat it too badly.